
RSA NetWitness Platform

2 Posts authored by: Scott Marcus Employee

This post details some of the implications of running in a mixed-mode environment. For the purposes of this post, a mixed-mode environment is one in which some services are running on RSA Security Analytics 10.6.x, and others are running on RSA NetWitness 11.x.

Note: RSA strongly suggests upgrading your 10.x services to 11.x to match your NetWitness server version, but running in Mixed-Mode allows you to stage your upgrade, especially for larger environments.

If you run in a mixed-mode environment for an extended time, you may see or experience some or all of the following behaviors:

Overall Administration and Management Functionality

  • If you add any 10.6.x hosts, you must add them manually to the 11.x architecture.
    • There is no automatic discovery or trust establishment via certificates.
    • You must add them manually with a username and password.
  • In 11.x, a secondary or alternate NetWitness (NW) Server is not currently supported, though this may change in a future NetWitness version.
    • Only the primary NW Server can be upgraded (it becomes "Node0").
    • Secondary NW Servers can be repurposed as other host types.
  • The Event Analysis View is not available at all in mixed mode, and will not work until ALL devices are upgraded to 11.x.

Mixed Brokers

If you do not upgrade all of your Brokers, the existing Navigate and Event Grid view will still be available.

Implications for ESA

If you follow the recommended upgrade procedure for ESA services, note the following:

  • During the ESA upgrade, the following Mongo collections are moved from the ESA MongoDB to the NW Server MongoDB:
    • im/aggregation_rule.*
    • im/categories
    • im/tracking_id_sequence
    • context-wds/* (all collections)
    • datascience/* (all collections)
  • The upgrade process also reformats some of this data, so follow the procedures described in the Physical Host Upgrade Guide and Physical Host Upgrade Checklist documents, available on RSA Link. One way to find these documents is to open the Master Table of Contents, where links are listed in the Installation and Upgrade section.

IMPORTANT! You MUST upgrade your ESA services at the same time you upgrade the NetWitness Server. If you do not, you will have to re-image all of the ESA services as new hosts, and you will lose all of their data. Also, if you do not plan to upgrade your ESA services, you must REMOVE them from the 10.6.x Security Analytics Server before you start the upgrade.

Hosts/Services that Remain on 10.6.x

  • If you add a 10.6.x host after you upgrade to 11.x, no configuration management for it is available through the NetWitness UI; you must use the REST API instead. Existing 10.6.x devices remain connected and manageable from 11.x, as long as you do not remove any aggregation links.
  • You need to set up aggregation from 10.6.x hosts to 11.x hosts manually.
    • For example, for a Decoder on 10.6.x and a Concentrator on 11.x:
    • The same applies to any other 11.x service that aggregates from a 10.6.x host.
  • If you have a secondary Security Analytics Server, RSA recommends keeping it online to manage any hosts or services still running 10.6.x, until you have upgraded them all to 11.x.

Hybrids

If you are upgrading a system that has hybrids, communication with the hybrids remains functional. The Puppet CA certificate is reused as the certificate for the upgraded 11.x system, so the existing trust is still in place.

For example, if you have a system with a Security Analytics or NetWitness Server, an ESA service, and several hybrids, you can upgrade the NW Server and the ESA service, and communications with the hybrids will still work.

Recommended Path Away from Mixed-Mode

For large installations, you can upgrade services in phases. RSA recommends working "downstream." For example:

  1. For the initial phase (phase 1), upgrade the NW Server, ESA and Malware services. Also, upgrade at least the top-level Broker. If you have multiple Brokers, the suggestion is to upgrade all of them in phase 1.
  2. For phase 2, upgrade your concentrators, decoders, and so forth. The suggestion is to upgrade the concentrators and decoders in pairs, so they can continue communicating correctly with each other.

The RSA SecurID dashboard allows analysts to monitor specific identities and their behavior. It lets organizations monitor two-factor authentication environments that use RSA SecurID to authenticate to protected resources. Users can run reports with the NetWitness Report Engine, either ad hoc or on a recurring schedule.

Sample dashboard screen:

SecurID Dashboard Sample

Dashlets Contained in this Dashboard

The SecurID dashboard contains the following dashlets:

  • RSA SecurID-Account Lockouts
  • RSA SecurID-Bad PIN Good Token Code
  • RSA SecurID-Bad PIN Previous Token Code
  • RSA SecurID-Bad Token Code Bad PIN
  • RSA SecurID-Bad Token Code Good PIN
  • RSA SecurID-Static Passcode Authentication
  • RSA SecurID-Token Code Reuse
  • RSA SecurID-Unknown User Failed Login

Prerequisites

Before you can deploy the RSA SecurID dashboard, you must meet the following prerequisites:

  • Must be a logs customer
  • Must be ingesting RSA SecurID logs
  • Must be using Security Analytics 10.6.x

Deployment

The RSA SecurID dashboard is not currently delivered through Live. Instead, you download a configuration file and import it through the RSA NetWitness Suite UI.

You need to download the following attachments from the blog post:

  • RSA_SecurID_Charts.zip (charts)
  • RSA_SecurID.cfg (dashboard)

Perform the following procedures to deploy the RSA SecurID Dashboard:

  1. Add the Result Meta Key to Configuration Files
  2. Add a Data Source to a Reporting Engine
  3. Import Charts Archive
  4. Set the Data Source on Each Chart
  5. Enable the Charts
  6. Import the Dashboard Configuration File
  7. Choose Dashlet Charts

Add the Result Meta Key to Configuration Files

To get value out of this dashboard, you need to index the result meta key.

To add result key to RSA NetWitness Suite:

  1. Update index-concentrator-custom.xml on the Concentrator, as follows:
    1. In the Security Analytics menu, select Administration > Services, and select a Concentrator.
    2. Select View > Config from the Actions menu.
    3. Select the Files tab, then select the index-concentrator-custom.xml file.
    4. Add the following line: 
      <key description="Result" level="IndexValues" name="result" format="Text" valueMax="10000" defaultAction="Open"/>
    5. Click Apply.
    6. Restart the Concentrator Service.
  2. Update table-map-custom.xml on the Log Decoder, as follows:
    1. In the Security Analytics menu, select Administration > Services, and select a Log Decoder.
    2. Select View > Config from the Actions menu.
    3. Select the Files tab, then select the table-map-custom.xml file.
    4. Add the following line:
      <mapping envisionName="result" nwName="result" flags="None" format="Text" envisionDisplayName="Result|Volume|Information|Reason|Succeed/Failed"/>
    5. Click Apply.
    6. Restart the Log Decoder service.
  3. Restart both the Log Decoder and Concentrator services that you updated, so that your changes take effect.
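A quick consistency check for the two edits above, added here as an example (it is not RSA's code and not part of the original post). It parses index-concentrator-custom.xml and table-map-custom.xml and confirms that the result meta key is indexed on the Concentrator at level IndexValues and mapped on the Log Decoder under the same name and format, which is what the charts need. The two XML documents are constructed samples; the root element names <language> and <mappings> and the file-path arguments in main() are assumptions.

```python
"""Verify the `result` meta key edits on the Concentrator and Log Decoder.

Added example, not RSA's code. Root element names <language> (index file)
and <mappings> (table map) are assumed; the sample documents are constructed.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of index-concentrator-custom.xml after the edit in step 1.
INDEX_CUSTOM_XML = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
  <key description="Result" level="IndexValues" name="result" format="Text" valueMax="10000" defaultAction="Open"/>
</language>
"""

# Constructed sample of table-map-custom.xml after the edit in step 2.
TABLE_MAP_CUSTOM_XML = """<?xml version="1.0" encoding="utf-8"?>
<mappings>
  <mapping envisionName="result" nwName="result" flags="None" format="Text" envisionDisplayName="Result|Volume|Information|Reason|Succeed/Failed"/>
</mappings>
"""


def parse_elements(xml_text, tag, name_attr):
    """Return {name: attributes} for every <tag> element, or None if the XML
    does not parse. A malformed edit is the usual reason a service does not
    come back cleanly after the restart, so that case is reported, not raised."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return {el.get(name_attr): dict(el.attrib) for el in root.iter(tag)}


def check_meta_key(index_xml, table_xml, name="result"):
    """Return a list of problems; an empty list means the key is usable."""
    keys = parse_elements(index_xml, "key", "name")
    if keys is None:
        return ["index-concentrator-custom.xml is not well-formed XML"]
    maps = parse_elements(table_xml, "mapping", "nwName")
    if maps is None:
        return ["table-map-custom.xml is not well-formed XML"]

    problems = []
    key = keys.get(name)
    if key is None:
        problems.append(f"{name}: no <key> in index-concentrator-custom.xml")
    elif key.get("level") != "IndexValues":
        # IndexKeys only records that the key exists; charts that report on
        # the values of `result` need the values themselves indexed.
        problems.append(f"{name}: indexed at level {key.get('level')!r}; "
                        "the charts need IndexValues")

    mapping = maps.get(name)
    if mapping is None:
        problems.append(f"{name}: no <mapping> in table-map-custom.xml")

    if key is not None and mapping is not None:
        if key.get("format") != mapping.get("format"):
            problems.append(f"{name}: format {key.get('format')!r} in the index "
                            f"differs from {mapping.get('format')!r} in the table map")
    return problems


def main(argv):
    # Hypothetical usage: pass the two files copied from the service hosts.
    # With no arguments, the constructed samples above are checked.
    if len(argv) == 3:
        with open(argv[1]) as f, open(argv[2]) as g:
            problems = check_meta_key(f.read(), g.read())
    else:
        problems = check_meta_key(INDEX_CUSTOM_XML, TABLE_MAP_CUSTOM_XML)
    for p in problems:
        print("PROBLEM:", p)
    print("OK: result key is indexed and mapped" if not problems
          else f"{len(problems)} problem(s) found")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the sample pass, or pass the two files pulled from the Concentrator and Log Decoder. A non-zero exit means a step was missed or mistyped; fix the file before restarting the service.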

Add a Data Source to a Reporting Engine

In most cases, for customers that have other reports running, the Data Source is already defined. If so, you can skip this section.

Perform the following steps to associate a data source with a Reporting Engine:

  1. In the Security Analytics menu, select Administration > Services.

  2. In the Services grid, select a Reporting Engine service.

  3. Click View > Config.

    The Services Config View of Reporting Engine is displayed.

  4. In the Sources tab, click Available Services.

  5. Select the Concentrator as the Data source.

Import Charts Archive

  1. Download the Charts archive, RSA_SecurID_Charts.zip, which is attached to this blog post.
  2. In the Security Analytics menu, select Reports.
  3. Click Charts.
  4. From the Chart Groups panel, select a folder to import the file.
  5. Do one of the following:
    • In the Chart Groups panel, click Import.
    • In the Chart toolbar, click Import.
  6. Click Browse to navigate to the binary file.
    Security Analytics provides a file system view of the files.
  7. Locate the RSA_SecurID_Charts.zip file that you downloaded in step 1, and click Open.
    The file is added to the Import Chart list. The RSA SecurID rules are also available through Live. If you have already deployed the rules from Live, choose not to overwrite them on import.
  8. (Optional) To overwrite any existing rule in the library with an identically named rule from the archive, check the Rule checkbox. If you do not select the Overwrite option and an identically named rule is encountered in the archive, the archive is still imported and no error message is displayed.
  9. (Optional) To overwrite any existing chart in the library with an identically named chart from the archive, check the Chart checkbox. If you do not select the Overwrite option and an identically named chart is encountered in the archive, the archive is still imported and no error message is displayed.
  10. Click Import to import the binary file.

Set the Data Source on Each Chart

  1. For each imported chart, go to Reports > Charts.
  2. Select the Chart and click the edit Icon.
  3. Select the Data Source for each chart (the Concentrator where the SecurID logs are being aggregated).
  4. Click Save.

Enable the Charts

To enable the charts, do the following:

  1. In the Security Analytics menu, select Reports.
  2. Click Charts.
  3. Click the Identity group.
    The RSA SecurID folder appears.
  4. Select the RSA SecurID folder.
    All charts related to RSA SecurID are listed in the Charts list panel.
  5. In the Charts list panel, select one or more charts that show as disabled in the Enabled column.
  6. Click the Enable button.

A confirmation message indicates that the chart(s) state is changed successfully.

Import the Dashboard Configuration file

Important: Importing a dashboard only works on 10.6.x systems, because of known permission issues importing Dashboards into 10.5.x (or prior releases).

  1. Download the dashboard configuration file, RSA_SecurID.cfg, which is attached to this blog post.
  2. In the dashboard toolbar, click the Import Dashboard icon.
  3. Browse to the dashboard file in the Import Dashboard dialog.
  4. Click Import Dashboard.
  5. Reconnect each dashlet to its corresponding report dashlet by clicking the icon shown in the following illustration.
    Reconnect Dashlet image

The dashboard is displayed in the UI.

Choose Dashlet Charts

After importing the Dashboards, the RSA SecurID Dashboard Dashlets need to be associated with corresponding dashlet charts.

After the Dashboard is imported, the screen looks something like this:

blank dashboard

To select charts for the dashlets:

  1. Click the dashlet Setup icon.
    The dashlet Options dialog box is displayed.
    dashlet options
  2. Click Browse to choose the chart to display.
  3. In the Select Charts window, under the Groups menu, select the Identity folder.
    Select Chart screen
  4. Select the RSA SecurID folder.
  5. For each chart listed, select its checkbox and then click Select.
  6. In the Options dialog box, click Browse and select the chart whose name matches the dashlet Title.
  7. Click Select.
  8. Click Apply.
  9. Repeat steps 1–8 for each dashlet in the dashboard.

Dependencies

The RSA SecurID Dashboard applies only to customers collecting logs, so all the dashlets in this dashboard have a medium of Log.

The following table describes the dependencies for each dashlet, as well as other details.

Dashlet                                   | Report Rule                               | Report Chart                              | Other
------------------------------------------|-------------------------------------------|-------------------------------------------|------
RSA SecurID-Bad PIN Good Token Code       | RSA SecurID-Bad PIN Good Token Code       | RSA SecurID-Bad PIN Good Token Code       | The RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv) is required. This applies to every dashlet in the table.
RSA SecurID-Bad PIN Previous Token Code   | RSA SecurID-Bad PIN Previous Token Code   | RSA SecurID-Bad PIN Previous Token Code   | (same)
RSA SecurID-Bad Token Code Bad PIN        | RSA SecurID-Bad Token Code Bad PIN        | RSA SecurID-Bad Token Code Bad PIN        | (same)
RSA SecurID-Bad Token Code Good PIN       | RSA SecurID-Bad Token Code Good PIN       | RSA SecurID-Bad Token Code Good PIN       | (same)
RSA SecurID-Static Passcode Authentication| RSA SecurID-Static Passcode Authentication| RSA SecurID-Static Passcode Authentication| (same)
RSA SecurID-Token Code Reuse              | RSA SecurID-Token Code Reuse              | RSA SecurID-Token Code Reuse              | (same)
RSA SecurID-Unknown User Failed Login     | RSA SecurID-Unknown User Failed Login     | RSA SecurID-Unknown User Failed Login     | (same)
RSA SecurID-Account Lockouts              | RSA SecurID-Account Lockouts              | RSA SecurID-Account Lockouts              | (same)
